Maestro Distribution Mode

Raj_Khatri — Tue, 29 Sep 2020 00:45:16 GMT

Has anyone faced issues with outbound DNS on R80.20SP with 2 MHO-140 + 2 members? We have multiple private interfaces and performing hide NAT for traffic leaving our external interface - pretty standard. We have noticed very slow and unresponsive DNS queries and lookups.

The default distribution mode is "manual-general" and after reading sk108842, when performing Hide NAT, the external interface should be configured as "network" instead of "user"

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108842&partition=Advanced&product=Scalable

After making the change to "auto-topology" and setting the external interface to "network," DNS queries are back to normal. Still experiencing odd DNS issues from certain private segments when pointing to an internal F5 VIP (using external forwarders), but wondering if anybody else has faced similar issues.

Before:
eth1-x :policy-internal
eth2-x: policy-external

After:
eth1-x :manual-internal
eth2-x: manual-external

Thanks

Re: Maestro Distribution Mode

Raj_Khatri — Thu, 01 Oct 2020 01:05:16 GMT

Turns out L4 is enabled by default and recommended by TAC to disable unless doing heavy NAT or SGMs are not balanced. DNS issues resolved.

topic Re: Maestro Distribution Mode in Hyperscale Firewall (Maestro)

Maestro Distribution Mode

Re: Maestro Distribution Mode